[PATCH v2] TaskTracker : Simplified thread information tracker.

Tetsuo Handa penguin-kernel at I-love.SAKURA.ne.jp
Tue Aug 8 10:25:39 UTC 2023


On 2023/08/08 3:54, Steve Grubb wrote:
>>> What I would suggest is to make a separate record: AUDIT_PROC_TREE that
>>> describes the process tree from the one killed up to the last known parent.
>>> This way you can define your own format and SYSCALL can stay as everyone
>>> expects it to look. In the EXECVE audit record, there is a precedent of
>>> using argv[0]=xx argv[1]=xx argv[2]=yy and so on. If you want to make
>>> these generally parsable without special knowledge of the record format,
>>> I'd suggest something like it.
>>
>> Yes,
>> https://lkml.kernel.org/r/201501202220.DJJ34834.OLJOHFMQOFtSVF@I-love.SAKURA.ne.jp
>> used AUDIT_PROCHISTORY instead of LSM hooks, but that thread died there.
> 
> I do not read that mail list. AUDIT_PROC_HIST or AUDIT_PROC_CHAIN or
> something like that would be the better way to go. If someone wanted to see if
> they have process history for a segfault, how would they do it with the
> proposed record?

Avoiding bloat in audit log files could be done when saving into audit log
files, but avoiding the overhead of tracking/recording this history information
would need to be done using kernel command line options.

Is there a kernel command line option that can configure whether to include
this history information or not (and what is to be included in it)?

If an LSM is used, a kernel command line option like lsm=tt can be used for
telling the kernel to include this history information, and kernel command
line options like tt.size=512 tt.fields=name,stamp for telling the kernel the
max history length and the fields to include.
